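---
# RedHat-family tasks: add the OpenDistro / Elasticsearch-oss yum repos,
# install the packages, deploy the node and admin TLS material, and
# initialise the opendistro security index.
#
# Every task after the package install is gated on `install.changed`, so the
# security configuration is applied only on the run that installs the package.

- name: RedHat/CentOS/Fedora | Add OpenDistro repo
  yum_repository:
    file: opendistro
    name: opendistro_repo
    description: Opendistro yum repository
    baseurl: "{{ package_repos.yum.opendistro.baseurl }}"
    gpgkey: "{{ package_repos.yum.opendistro.gpg }}"
    # Package signatures are verified against the key above.
    gpgcheck: true
  changed_when: false

- name: RedHat/CentOS/Fedora | Add Elasticsearch-oss repo
  yum_repository:
    file: opendistro
    name: elasticsearch_oss_repo
    description: Elasticsearch-oss yum repository
    baseurl: "{{ package_repos.yum.elasticsearch_oss.baseurl }}"
    gpgkey: "{{ package_repos.yum.elasticsearch_oss.gpg }}"
    gpgcheck: true
  changed_when: false

- name: RedHat/CentOS/Fedora | Install OpenJDK 11
  yum:
    name: java-11-openjdk-devel
    state: present

- name: RedHat/CentOS/Fedora | Install OpenDistro dependencies
  yum:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - wget
      - unzip

- name: RedHat/CentOS/Fedora | Install OpenDistro
  package:
    name: "opendistroforelasticsearch-{{ opendistro_version }}"
    state: present
  register: install

# The list below contains private keys, so the files must not be
# world-readable. They are installed root-owned and readable only by the
# service group.
# NOTE(review): assumes the package created an `elasticsearch` group that the
# service runs under - confirm before merging.
# NOTE(review): root-ca.key (the CA private key) is pushed to every node and
# the source directory lives under /tmp on the controller. Nothing visible in
# this file needs the CA key on the nodes - consider dropping it from the list
# and staging the material outside /tmp.
- name: RedHat/CentOS/Fedora | Copy the node & admin certificates to Elasticsearch cluster
  copy:
    src: "/tmp/opendistro-nodecerts/config/{{ item }}"
    dest: /etc/elasticsearch/
    owner: root
    group: elasticsearch
    mode: "0640"
  with_items:
    - root-ca.pem
    - root-ca.key
    - "{{ inventory_hostname }}.key"
    - "{{ inventory_hostname }}.pem"
    - "{{ inventory_hostname }}_http.key"
    - "{{ inventory_hostname }}_http.pem"
    - "{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
    - admin.key
    - admin.pem
  when: install.changed

- name: RedHat/CentOS/Fedora | Copy the opendistro security configuration file to cluster
  vars:
    # Built here so the lookup below does not nest "{{ }}" inside a Jinja
    # string literal.
    node_config_snippet: "/tmp/opendistro-nodecerts/config/{{ inventory_hostname }}_elasticsearch_config_snippet.yml"
  blockinfile:
    block: "{{ lookup('file', node_config_snippet) }}"
    dest: "{{ conf_dir }}/elasticsearch.yml"
    backup: true
    insertafter: EOF
    marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
  when: install.changed

# `replace` reports "changed" only when the file really changes, unlike the
# unconditional `sed -i` it stands in for.
- name: RedHat/CentOS/Fedora | Prepare the opendistro security configuration file
  replace:
    path: "{{ conf_dir }}/elasticsearch.yml"
    regexp: 'searchguard'
    replace: 'opendistro_security'
  when: install.changed

- name: RedHat/CentOS/Fedora | Restart elasticsearch with security configuration
  systemd:
    name: elasticsearch
    state: restarted
  when: install.changed

# The two "Set the ... password" tasks below replace the clear-text passwords
# in this file with their hashes, so the rendered file briefly holds clear-text
# credentials. It is kept away from other local users and out of task
# output/diffs.
# NOTE(review): group `elasticsearch` is assumed, as for the certificates.
- name: RedHat/CentOS/Fedora | Copy the opendistro security internal users template
  template:
    src: "templates/internal_users.yml.j2"
    dest: "{{ es_sec_plugin_conf_path }}/internal_users.yml"
    owner: root
    group: elasticsearch
    mode: "0640"
  run_once: true
  no_log: true
  when: install.changed

# Replaces the clear-text password in internal_users.yml with the last line
# printed by hash.sh.
# - no_log keeps the password out of Ansible output and logs.
# - `| quote` shell-escapes the value handed to hash.sh.
# - The password is still used as the sed search pattern, so it must not
#   contain `,`, `'` or regex metacharacters.
# - It is also visible in the process list while hash.sh runs.
# NOTE(review): hashing once and rendering the hash from the template would
# remove both limitations.
- name: RedHat/CentOS/Fedora | Set the Admin user password
  shell: >
    sed -i 's,{{ admin_password }},'"$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ admin_password | quote }} | tail -1)"','
    {{ es_sec_plugin_conf_path }}/internal_users.yml
  run_once: true
  no_log: true
  when: install.changed

# Same mechanism and caveats as the Admin password task above.
- name: RedHat/CentOS/Fedora | Set the kibanaserver user pasword
  shell: >
    sed -i 's,{{ kibanaserver_password }},'"$(sh {{ es_sec_plugin_tools_path }}/hash.sh -p {{ kibanaserver_password | quote }} | tail -1)"','
    {{ es_sec_plugin_conf_path }}/internal_users.yml
  run_once: true
  no_log: true
  when: install.changed

# Loads the files in es_sec_plugin_conf_path into the security index using the
# admin client certificate.
# NOTE(review): -nhnv turns off TLS hostname verification for this connection;
# it is needed only if the node certificate does not carry the address passed
# with -h. Prefer certificates with matching SANs and drop the flag.
- name: RedHat/CentOS/Fedora | Initialize the opendistro security index in elasticsearch
  shell: >
    sh {{ es_sec_plugin_tools_path }}/securityadmin.sh
    -cacert {{ conf_dir }}/root-ca.pem
    -cert {{ conf_dir }}/admin.pem
    -key {{ conf_dir }}/admin.key
    -cd {{ es_sec_plugin_conf_path }}/
    -nhnv -icl
    -h {{ hostvars[inventory_hostname]['ip'] }}
  run_once: true
  when: install.changed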